Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-hy24-6xpe-pkb7

Summary

OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events
## Summary

Heartbeat owner downgrade missed untrusted webhook wake events.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `>= 2026.4.7 < 2026.4.14`
- Patched versions: `>= 2026.4.14`

## Impact

Heartbeat owner downgrade logic could skip webhook wake events carrying untrusted content, preserving owner-like execution context where the run should have been downgraded.

## Technical Details

The fix includes wake and hook event reasons in owner-downgrade inspection and forces downgrade for untrusted hook wake events.

## Fix

The issue was fixed in #66031. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `31281bc92f55796817a92bc43f722cba1e77ab42`
- PR: #66031

## Release Process Note

Users should upgrade to `openclaw` 2026.4.14 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.

Aliases

alias	CVE-2026-43566

alias	GHSA-g2hm-779g-vm32

Fixed_packages

url pkg:npm/openclaw@2026.4.14

purl pkg:npm/openclaw@2026.4.14

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29a1-7ar7-67e1

vulnerability	VCID-2c8p-gbaw-3ye4

vulnerability	VCID-4316-7q9a-xuhx

vulnerability	VCID-4u3z-rs45-gbhe

vulnerability	VCID-7akj-469t-57hz

vulnerability	VCID-a46u-tnbh-fyhs

vulnerability	VCID-a4jz-y9s4-zkfg

vulnerability	VCID-dv5s-pvw1-a7fu

vulnerability	VCID-e25p-j5ed-yqfz

vulnerability	VCID-gk95-28x9-17dk

vulnerability	VCID-gkyv-ahk7-1ud3

vulnerability	VCID-h9a4-1twb-d7d1

vulnerability	VCID-hz33-9efv-c7ef

vulnerability	VCID-jshg-1pb2-wbak

vulnerability	VCID-k8s8-zjv4-gqdb

vulnerability	VCID-kcy2-a98b-uyg7

vulnerability	VCID-kxmf-d7w1-xfcv

vulnerability	VCID-nkh4-j2pe-1qhr

vulnerability	VCID-p8xd-2um4-9ufr

vulnerability	VCID-rr6t-1193-ybgz

vulnerability	VCID-ry1r-br3q-2uaw

vulnerability	VCID-t2ve-xemk-mqa9

vulnerability	VCID-vz7k-r7c4-ebfg

vulnerability	VCID-w2yd-uw91-9yck

vulnerability	VCID-xj73-kszs-yygp

vulnerability	VCID-xsct-xjs7-nbab

vulnerability	VCID-y65g-4baa-a7c2

vulnerability	VCID-ye4t-n6r3-67ab

vulnerability	VCID-yhpq-5qy3-y7bn

vulnerability	VCID-ymmv-2qmq-6kap

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.14

Affected_packages

url pkg:npm/openclaw@2026.4.7

purl pkg:npm/openclaw@2026.4.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pbz-8rnx-dkhe

vulnerability	VCID-29a1-7ar7-67e1

vulnerability	VCID-2c8p-gbaw-3ye4

vulnerability	VCID-2g7x-vu14-nkde

vulnerability	VCID-2h6a-becf-x7ej

vulnerability	VCID-2khh-wv8p-97ff

vulnerability	VCID-2mxq-krq5-bycx

vulnerability	VCID-3xmj-n798-x3cw

vulnerability	VCID-3zwq-dz2u-pqgv

vulnerability	VCID-4316-7q9a-xuhx

vulnerability	VCID-4u3z-rs45-gbhe

vulnerability	VCID-4urc-4536-pqhk

vulnerability	VCID-6wth-qthz-yud8

vulnerability	VCID-6y5w-am4s-6qa5

vulnerability	VCID-73cz-n29z-uqem

vulnerability	VCID-75yr-sbce-nkah

vulnerability	VCID-7851-2jv5-3qhq

vulnerability	VCID-7akj-469t-57hz

vulnerability	VCID-7snr-fn3u-x3b8

vulnerability	VCID-9hcd-uj62-8yeu

vulnerability	VCID-9kgh-wj9w-ykff

vulnerability	VCID-9xgq-vtg2-jucq

vulnerability	VCID-a46u-tnbh-fyhs

vulnerability	VCID-a4jz-y9s4-zkfg

vulnerability	VCID-arks-g6hw-abbw

vulnerability	VCID-bkya-73v8-bber

vulnerability	VCID-c25h-khws-2fc3

vulnerability	VCID-cbuu-4d6c-rben

vulnerability	VCID-dfdk-dhwf-9yaj

vulnerability	VCID-dmse-bb22-rkcj

vulnerability	VCID-dqb2-dej7-augt

vulnerability	VCID-dv5s-pvw1-a7fu

vulnerability	VCID-e25p-j5ed-yqfz

vulnerability	VCID-e4ac-qm17-qbf5

vulnerability	VCID-fuda-zxu8-gbb4

vulnerability	VCID-gk95-28x9-17dk

vulnerability	VCID-gkyv-ahk7-1ud3

vulnerability	VCID-h9a4-1twb-d7d1

vulnerability	VCID-haxd-ps1x-h3ch

vulnerability	VCID-hy24-6xpe-pkb7

vulnerability	VCID-hz33-9efv-c7ef

vulnerability	VCID-jshg-1pb2-wbak

vulnerability	VCID-k8s8-zjv4-gqdb

vulnerability	VCID-kcy2-a98b-uyg7

vulnerability	VCID-kxmf-d7w1-xfcv

vulnerability	VCID-ma62-gtan-97au

vulnerability	VCID-mszk-dr24-xugw

vulnerability	VCID-mv8b-cryt-u3g8

vulnerability	VCID-mxu5-yjqs-nuap

vulnerability	VCID-nkh4-j2pe-1qhr

vulnerability	VCID-ns77-4wfj-9ka6

vulnerability	VCID-ntwt-jkgr-sffu

vulnerability	VCID-nv6g-7gs9-pfan

vulnerability	VCID-nw4r-wjgs-8qc1

vulnerability	VCID-p7gx-9usz-yyew

vulnerability	VCID-p8xd-2um4-9ufr

vulnerability	VCID-pae5-uyu7-k3c1

vulnerability	VCID-pdmd-a4fg-8fcg

vulnerability	VCID-pj41-sunw-vbcj

vulnerability	VCID-psms-gauf-tkbz

vulnerability	VCID-qedr-a3ay-v3gx

vulnerability	VCID-rr6t-1193-ybgz

vulnerability	VCID-ry1r-br3q-2uaw

vulnerability	VCID-t2ve-xemk-mqa9

vulnerability	VCID-t2yy-9ume-t7be

vulnerability	VCID-vy8v-np82-r3b5

vulnerability	VCID-vz7k-r7c4-ebfg

vulnerability	VCID-w2tj-nqa6-cuam

vulnerability	VCID-w2yd-uw91-9yck

vulnerability	VCID-w4p1-sxdg-hyha

vulnerability	VCID-wmr3-83u3-6qdb

vulnerability	VCID-wyat-1259-2kg9

vulnerability	VCID-x2ru-ydpv-f3ah

vulnerability	VCID-xj73-kszs-yygp

vulnerability	VCID-xsct-xjs7-nbab

vulnerability	VCID-y65g-4baa-a7c2

vulnerability	VCID-ye4t-n6r3-67ab

vulnerability	VCID-yhpq-5qy3-y7bn

vulnerability	VCID-ymmv-2qmq-6kap

vulnerability	VCID-z8mj-pnbe-wqej

vulnerability	VCID-zg68-u5b5-vkft

vulnerability	VCID-zpte-tgt5-wqcm

vulnerability	VCID-zu4s-jnn3-1kd8

vulnerability	VCID-zunq-wnnf-k3fw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.7

url pkg:npm/openclaw@2026.4.8

purl pkg:npm/openclaw@2026.4.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29a1-7ar7-67e1

vulnerability	VCID-2c8p-gbaw-3ye4

vulnerability	VCID-2g7x-vu14-nkde

vulnerability	VCID-2khh-wv8p-97ff

vulnerability	VCID-2mxq-krq5-bycx

vulnerability	VCID-3xmj-n798-x3cw

vulnerability	VCID-4316-7q9a-xuhx

vulnerability	VCID-4u3z-rs45-gbhe

vulnerability	VCID-6wth-qthz-yud8

vulnerability	VCID-6y5w-am4s-6qa5

vulnerability	VCID-7akj-469t-57hz

vulnerability	VCID-7snr-fn3u-x3b8

vulnerability	VCID-9hcd-uj62-8yeu

vulnerability	VCID-9kgh-wj9w-ykff

vulnerability	VCID-a46u-tnbh-fyhs

vulnerability	VCID-a4jz-y9s4-zkfg

vulnerability	VCID-arks-g6hw-abbw

vulnerability	VCID-c25h-khws-2fc3

vulnerability	VCID-dfdk-dhwf-9yaj

vulnerability	VCID-dqb2-dej7-augt

vulnerability	VCID-dv5s-pvw1-a7fu

vulnerability	VCID-e25p-j5ed-yqfz

vulnerability	VCID-fuda-zxu8-gbb4

vulnerability	VCID-gk95-28x9-17dk

vulnerability	VCID-gkyv-ahk7-1ud3

vulnerability	VCID-h9a4-1twb-d7d1

vulnerability	VCID-hy24-6xpe-pkb7

vulnerability	VCID-hz33-9efv-c7ef

vulnerability	VCID-jshg-1pb2-wbak

vulnerability	VCID-k8s8-zjv4-gqdb

vulnerability	VCID-kcy2-a98b-uyg7

vulnerability	VCID-kxmf-d7w1-xfcv

vulnerability	VCID-mszk-dr24-xugw

vulnerability	VCID-mxu5-yjqs-nuap

vulnerability	VCID-nkh4-j2pe-1qhr

vulnerability	VCID-ns77-4wfj-9ka6

vulnerability	VCID-nv6g-7gs9-pfan

vulnerability	VCID-p8xd-2um4-9ufr

vulnerability	VCID-pae5-uyu7-k3c1

vulnerability	VCID-pdmd-a4fg-8fcg

vulnerability	VCID-pj41-sunw-vbcj

vulnerability	VCID-qedr-a3ay-v3gx

vulnerability	VCID-rr6t-1193-ybgz

vulnerability	VCID-ry1r-br3q-2uaw

vulnerability	VCID-t2ve-xemk-mqa9

vulnerability	VCID-t2yy-9ume-t7be

vulnerability	VCID-vz7k-r7c4-ebfg

vulnerability	VCID-w2tj-nqa6-cuam

vulnerability	VCID-w2yd-uw91-9yck

vulnerability	VCID-wyat-1259-2kg9

vulnerability	VCID-x2ru-ydpv-f3ah

vulnerability	VCID-xj73-kszs-yygp

vulnerability	VCID-xsct-xjs7-nbab

vulnerability	VCID-y65g-4baa-a7c2

vulnerability	VCID-ye4t-n6r3-67ab

vulnerability	VCID-yhpq-5qy3-y7bn

vulnerability	VCID-ymmv-2qmq-6kap

vulnerability	VCID-zg68-u5b5-vkft

vulnerability	VCID-zpte-tgt5-wqcm

vulnerability	VCID-zu4s-jnn3-1kd8

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8

url pkg:npm/openclaw@2026.4.9-beta.1

purl pkg:npm/openclaw@2026.4.9-beta.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29a1-7ar7-67e1

vulnerability	VCID-2c8p-gbaw-3ye4

vulnerability	VCID-2g7x-vu14-nkde

vulnerability	VCID-2khh-wv8p-97ff

vulnerability	VCID-2mxq-krq5-bycx

vulnerability	VCID-3xmj-n798-x3cw

vulnerability	VCID-4316-7q9a-xuhx

vulnerability	VCID-4u3z-rs45-gbhe

vulnerability	VCID-6wth-qthz-yud8

vulnerability	VCID-6y5w-am4s-6qa5

vulnerability	VCID-7akj-469t-57hz

vulnerability	VCID-7snr-fn3u-x3b8

vulnerability	VCID-9hcd-uj62-8yeu

vulnerability	VCID-9kgh-wj9w-ykff

vulnerability	VCID-a46u-tnbh-fyhs

vulnerability	VCID-a4jz-y9s4-zkfg

vulnerability	VCID-arks-g6hw-abbw

vulnerability	VCID-c25h-khws-2fc3

vulnerability	VCID-dfdk-dhwf-9yaj

vulnerability	VCID-dqb2-dej7-augt

vulnerability	VCID-dv5s-pvw1-a7fu

vulnerability	VCID-e25p-j5ed-yqfz

vulnerability	VCID-fuda-zxu8-gbb4

vulnerability	VCID-gk95-28x9-17dk

vulnerability	VCID-gkyv-ahk7-1ud3

vulnerability	VCID-h9a4-1twb-d7d1

vulnerability	VCID-hy24-6xpe-pkb7

vulnerability	VCID-hz33-9efv-c7ef

vulnerability	VCID-jshg-1pb2-wbak

vulnerability	VCID-k8s8-zjv4-gqdb

vulnerability	VCID-kcy2-a98b-uyg7

vulnerability	VCID-kxmf-d7w1-xfcv

vulnerability	VCID-mszk-dr24-xugw

vulnerability	VCID-mxu5-yjqs-nuap

vulnerability	VCID-nkh4-j2pe-1qhr

vulnerability	VCID-ns77-4wfj-9ka6

vulnerability	VCID-nv6g-7gs9-pfan

vulnerability	VCID-p8xd-2um4-9ufr

vulnerability	VCID-pae5-uyu7-k3c1

vulnerability	VCID-pdmd-a4fg-8fcg

vulnerability	VCID-pj41-sunw-vbcj

vulnerability	VCID-qedr-a3ay-v3gx

vulnerability	VCID-rr6t-1193-ybgz

vulnerability	VCID-ry1r-br3q-2uaw

vulnerability	VCID-t2ve-xemk-mqa9

vulnerability	VCID-t2yy-9ume-t7be

vulnerability	VCID-vz7k-r7c4-ebfg

vulnerability	VCID-w2tj-nqa6-cuam

vulnerability	VCID-w2yd-uw91-9yck

vulnerability	VCID-wyat-1259-2kg9

vulnerability	VCID-x2ru-ydpv-f3ah

vulnerability	VCID-xj73-kszs-yygp

vulnerability	VCID-xsct-xjs7-nbab

vulnerability	VCID-y65g-4baa-a7c2

vulnerability	VCID-ye4t-n6r3-67ab

vulnerability	VCID-yhpq-5qy3-y7bn

vulnerability	VCID-ymmv-2qmq-6kap

vulnerability	VCID-zg68-u5b5-vkft

vulnerability	VCID-zpte-tgt5-wqcm

vulnerability	VCID-zu4s-jnn3-1kd8

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.9-beta.1

url pkg:npm/openclaw@2026.4.9

purl pkg:npm/openclaw@2026.4.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29a1-7ar7-67e1

vulnerability	VCID-2c8p-gbaw-3ye4

vulnerability	VCID-2g7x-vu14-nkde

vulnerability	VCID-2khh-wv8p-97ff

vulnerability	VCID-2mxq-krq5-bycx

vulnerability	VCID-3xmj-n798-x3cw

vulnerability	VCID-4316-7q9a-xuhx

vulnerability	VCID-4u3z-rs45-gbhe

vulnerability	VCID-6wth-qthz-yud8

vulnerability	VCID-6y5w-am4s-6qa5

vulnerability	VCID-7akj-469t-57hz

vulnerability	VCID-7snr-fn3u-x3b8

vulnerability	VCID-9hcd-uj62-8yeu

vulnerability	VCID-9kgh-wj9w-ykff

vulnerability	VCID-a46u-tnbh-fyhs

vulnerability	VCID-a4jz-y9s4-zkfg

vulnerability	VCID-c25h-khws-2fc3

vulnerability	VCID-dfdk-dhwf-9yaj

vulnerability	VCID-dqb2-dej7-augt

vulnerability	VCID-dv5s-pvw1-a7fu

vulnerability	VCID-e25p-j5ed-yqfz

vulnerability	VCID-fuda-zxu8-gbb4

vulnerability	VCID-gk95-28x9-17dk

vulnerability	VCID-gkyv-ahk7-1ud3

vulnerability	VCID-h9a4-1twb-d7d1

vulnerability	VCID-hy24-6xpe-pkb7

vulnerability	VCID-hz33-9efv-c7ef

vulnerability	VCID-jshg-1pb2-wbak

vulnerability	VCID-k8s8-zjv4-gqdb

vulnerability	VCID-k8x3-9pv7-rfax

vulnerability	VCID-kcy2-a98b-uyg7

vulnerability	VCID-kxmf-d7w1-xfcv

vulnerability	VCID-mszk-dr24-xugw

vulnerability	VCID-mxu5-yjqs-nuap

vulnerability	VCID-nkh4-j2pe-1qhr

vulnerability	VCID-ns77-4wfj-9ka6

vulnerability	VCID-nv6g-7gs9-pfan

vulnerability	VCID-p8xd-2um4-9ufr

vulnerability	VCID-pae5-uyu7-k3c1

vulnerability	VCID-pj41-sunw-vbcj

vulnerability	VCID-qedr-a3ay-v3gx

vulnerability	VCID-rr6t-1193-ybgz

vulnerability	VCID-rvcq-rqbq-4khp

vulnerability	VCID-ry1r-br3q-2uaw

vulnerability	VCID-t2ve-xemk-mqa9

vulnerability	VCID-t2yy-9ume-t7be

vulnerability	VCID-vz7k-r7c4-ebfg

vulnerability	VCID-w2yd-uw91-9yck

vulnerability	VCID-wyat-1259-2kg9

vulnerability	VCID-x2ru-ydpv-f3ah

vulnerability	VCID-xj73-kszs-yygp

vulnerability	VCID-xsct-xjs7-nbab

vulnerability	VCID-y65g-4baa-a7c2

vulnerability	VCID-ye4t-n6r3-67ab

vulnerability	VCID-yhpq-5qy3-y7bn

vulnerability	VCID-ymmv-2qmq-6kap

vulnerability	VCID-zg68-u5b5-vkft

vulnerability	VCID-zpte-tgt5-wqcm

vulnerability	VCID-zu4s-jnn3-1kd8

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.9

url pkg:npm/openclaw@2026.4.10

purl pkg:npm/openclaw@2026.4.10

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29a1-7ar7-67e1

vulnerability	VCID-2c8p-gbaw-3ye4

vulnerability	VCID-2khh-wv8p-97ff

vulnerability	VCID-2mxq-krq5-bycx

vulnerability	VCID-3xmj-n798-x3cw

vulnerability	VCID-4316-7q9a-xuhx

vulnerability	VCID-4u3z-rs45-gbhe

vulnerability	VCID-6cfj-zugb-7uhq

vulnerability	VCID-6wth-qthz-yud8

vulnerability	VCID-6y5w-am4s-6qa5

vulnerability	VCID-7akj-469t-57hz

vulnerability	VCID-9kgh-wj9w-ykff

vulnerability	VCID-a46u-tnbh-fyhs

vulnerability	VCID-a4jz-y9s4-zkfg

vulnerability	VCID-dfdk-dhwf-9yaj

vulnerability	VCID-dv5s-pvw1-a7fu

vulnerability	VCID-e25p-j5ed-yqfz

vulnerability	VCID-gk95-28x9-17dk

vulnerability	VCID-gkyv-ahk7-1ud3

vulnerability	VCID-h9a4-1twb-d7d1

vulnerability	VCID-hphn-8fnj-qkh2

vulnerability	VCID-hy24-6xpe-pkb7

vulnerability	VCID-hz33-9efv-c7ef

vulnerability	VCID-jshg-1pb2-wbak

vulnerability	VCID-k8s8-zjv4-gqdb

vulnerability	VCID-kcy2-a98b-uyg7

vulnerability	VCID-kxmf-d7w1-xfcv

vulnerability	VCID-nkh4-j2pe-1qhr

vulnerability	VCID-p8xd-2um4-9ufr

vulnerability	VCID-q3a2-qk5j-1yat

vulnerability	VCID-rr6t-1193-ybgz

vulnerability	VCID-ry1r-br3q-2uaw

vulnerability	VCID-t2ve-xemk-mqa9

vulnerability	VCID-t2yy-9ume-t7be

vulnerability	VCID-vz7k-r7c4-ebfg

vulnerability	VCID-w2yd-uw91-9yck

vulnerability	VCID-xj73-kszs-yygp

vulnerability	VCID-xsct-xjs7-nbab

vulnerability	VCID-y65g-4baa-a7c2

vulnerability	VCID-ye4t-n6r3-67ab

vulnerability	VCID-yhpq-5qy3-y7bn

vulnerability	VCID-ymmv-2qmq-6kap

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10

url pkg:npm/openclaw@2026.4.11-beta.1

purl pkg:npm/openclaw@2026.4.11-beta.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29a1-7ar7-67e1

vulnerability	VCID-2c8p-gbaw-3ye4

vulnerability	VCID-2khh-wv8p-97ff

vulnerability	VCID-2mxq-krq5-bycx

vulnerability	VCID-3xmj-n798-x3cw

vulnerability	VCID-4316-7q9a-xuhx

vulnerability	VCID-4u3z-rs45-gbhe

vulnerability	VCID-6cfj-zugb-7uhq

vulnerability	VCID-6wth-qthz-yud8

vulnerability	VCID-6y5w-am4s-6qa5

vulnerability	VCID-7akj-469t-57hz

vulnerability	VCID-9kgh-wj9w-ykff

vulnerability	VCID-a46u-tnbh-fyhs

vulnerability	VCID-a4jz-y9s4-zkfg

vulnerability	VCID-dfdk-dhwf-9yaj

vulnerability	VCID-dv5s-pvw1-a7fu

vulnerability	VCID-e25p-j5ed-yqfz

vulnerability	VCID-gk95-28x9-17dk

vulnerability	VCID-gkyv-ahk7-1ud3

vulnerability	VCID-h9a4-1twb-d7d1

vulnerability	VCID-hphn-8fnj-qkh2

vulnerability	VCID-hy24-6xpe-pkb7

vulnerability	VCID-hz33-9efv-c7ef

vulnerability	VCID-jshg-1pb2-wbak

vulnerability	VCID-k8s8-zjv4-gqdb

vulnerability	VCID-kcy2-a98b-uyg7

vulnerability	VCID-kxmf-d7w1-xfcv

vulnerability	VCID-nkh4-j2pe-1qhr

vulnerability	VCID-p8xd-2um4-9ufr

vulnerability	VCID-rr6t-1193-ybgz

vulnerability	VCID-ry1r-br3q-2uaw

vulnerability	VCID-t2ve-xemk-mqa9

vulnerability	VCID-t2yy-9ume-t7be

vulnerability	VCID-vz7k-r7c4-ebfg

vulnerability	VCID-w2yd-uw91-9yck

vulnerability	VCID-xj73-kszs-yygp

vulnerability	VCID-xsct-xjs7-nbab

vulnerability	VCID-y65g-4baa-a7c2

vulnerability	VCID-ye4t-n6r3-67ab

vulnerability	VCID-yhpq-5qy3-y7bn

vulnerability	VCID-ymmv-2qmq-6kap

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.11-beta.1

url pkg:npm/openclaw@2026.4.11

purl pkg:npm/openclaw@2026.4.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29a1-7ar7-67e1

vulnerability	VCID-2c8p-gbaw-3ye4

vulnerability	VCID-2khh-wv8p-97ff

vulnerability	VCID-2mxq-krq5-bycx

vulnerability	VCID-3xmj-n798-x3cw

vulnerability	VCID-4316-7q9a-xuhx

vulnerability	VCID-4u3z-rs45-gbhe

vulnerability	VCID-6cfj-zugb-7uhq

vulnerability	VCID-6wth-qthz-yud8

vulnerability	VCID-6y5w-am4s-6qa5

vulnerability	VCID-7akj-469t-57hz

vulnerability	VCID-9kgh-wj9w-ykff

vulnerability	VCID-a46u-tnbh-fyhs

vulnerability	VCID-a4jz-y9s4-zkfg

vulnerability	VCID-dfdk-dhwf-9yaj

vulnerability	VCID-dv5s-pvw1-a7fu

vulnerability	VCID-e25p-j5ed-yqfz

vulnerability	VCID-gk95-28x9-17dk

vulnerability	VCID-gkyv-ahk7-1ud3

vulnerability	VCID-h9a4-1twb-d7d1

vulnerability	VCID-hphn-8fnj-qkh2

vulnerability	VCID-hy24-6xpe-pkb7

vulnerability	VCID-hz33-9efv-c7ef

vulnerability	VCID-jshg-1pb2-wbak

vulnerability	VCID-k8s8-zjv4-gqdb

vulnerability	VCID-kcy2-a98b-uyg7

vulnerability	VCID-kxmf-d7w1-xfcv

vulnerability	VCID-nkh4-j2pe-1qhr

vulnerability	VCID-p8xd-2um4-9ufr

vulnerability	VCID-rr6t-1193-ybgz

vulnerability	VCID-ry1r-br3q-2uaw

vulnerability	VCID-t2ve-xemk-mqa9

vulnerability	VCID-t2yy-9ume-t7be

vulnerability	VCID-vz7k-r7c4-ebfg

vulnerability	VCID-w2yd-uw91-9yck

vulnerability	VCID-xj73-kszs-yygp

vulnerability	VCID-xsct-xjs7-nbab

vulnerability	VCID-y65g-4baa-a7c2

vulnerability	VCID-ye4t-n6r3-67ab

vulnerability	VCID-yhpq-5qy3-y7bn

vulnerability	VCID-ymmv-2qmq-6kap

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.11

url pkg:npm/openclaw@2026.4.12-beta.1

purl pkg:npm/openclaw@2026.4.12-beta.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29a1-7ar7-67e1

vulnerability	VCID-2c8p-gbaw-3ye4

vulnerability	VCID-2khh-wv8p-97ff

vulnerability	VCID-2mxq-krq5-bycx

vulnerability	VCID-3xmj-n798-x3cw

vulnerability	VCID-4316-7q9a-xuhx

vulnerability	VCID-4u3z-rs45-gbhe

vulnerability	VCID-6cfj-zugb-7uhq

vulnerability	VCID-6wth-qthz-yud8

vulnerability	VCID-6y5w-am4s-6qa5

vulnerability	VCID-7akj-469t-57hz

vulnerability	VCID-9kgh-wj9w-ykff

vulnerability	VCID-a46u-tnbh-fyhs

vulnerability	VCID-a4jz-y9s4-zkfg

vulnerability	VCID-dfdk-dhwf-9yaj

vulnerability	VCID-dv5s-pvw1-a7fu

vulnerability	VCID-e25p-j5ed-yqfz

vulnerability	VCID-gk95-28x9-17dk

vulnerability	VCID-gkyv-ahk7-1ud3

vulnerability	VCID-h9a4-1twb-d7d1

vulnerability	VCID-hphn-8fnj-qkh2

vulnerability	VCID-hy24-6xpe-pkb7

vulnerability	VCID-hz33-9efv-c7ef

vulnerability	VCID-jshg-1pb2-wbak

vulnerability	VCID-k8s8-zjv4-gqdb

vulnerability	VCID-kcy2-a98b-uyg7

vulnerability	VCID-kxmf-d7w1-xfcv

vulnerability	VCID-nkh4-j2pe-1qhr

vulnerability	VCID-p8xd-2um4-9ufr

vulnerability	VCID-rr6t-1193-ybgz

vulnerability	VCID-ry1r-br3q-2uaw

vulnerability	VCID-t2ve-xemk-mqa9

vulnerability	VCID-t2yy-9ume-t7be

vulnerability	VCID-vz7k-r7c4-ebfg

vulnerability	VCID-w2yd-uw91-9yck

vulnerability	VCID-xj73-kszs-yygp

vulnerability	VCID-xsct-xjs7-nbab

vulnerability	VCID-y65g-4baa-a7c2

vulnerability	VCID-ye4t-n6r3-67ab

vulnerability	VCID-yhpq-5qy3-y7bn

vulnerability	VCID-ymmv-2qmq-6kap

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.12-beta.1

url pkg:npm/openclaw@2026.4.12

purl pkg:npm/openclaw@2026.4.12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29a1-7ar7-67e1

vulnerability	VCID-2c8p-gbaw-3ye4

vulnerability	VCID-3xmj-n798-x3cw

vulnerability	VCID-4316-7q9a-xuhx

vulnerability	VCID-4u3z-rs45-gbhe

vulnerability	VCID-6cfj-zugb-7uhq

vulnerability	VCID-6wth-qthz-yud8

vulnerability	VCID-7akj-469t-57hz

vulnerability	VCID-a46u-tnbh-fyhs

vulnerability	VCID-a4jz-y9s4-zkfg

vulnerability	VCID-dfdk-dhwf-9yaj

vulnerability	VCID-dv5s-pvw1-a7fu

vulnerability	VCID-e25p-j5ed-yqfz

vulnerability	VCID-gk95-28x9-17dk

vulnerability	VCID-gkyv-ahk7-1ud3

vulnerability	VCID-h9a4-1twb-d7d1

vulnerability	VCID-hphn-8fnj-qkh2

vulnerability	VCID-hy24-6xpe-pkb7

vulnerability	VCID-hz33-9efv-c7ef

vulnerability	VCID-jshg-1pb2-wbak

vulnerability	VCID-k8s8-zjv4-gqdb

vulnerability	VCID-kcy2-a98b-uyg7

vulnerability	VCID-kxmf-d7w1-xfcv

vulnerability	VCID-nkh4-j2pe-1qhr

vulnerability	VCID-p8xd-2um4-9ufr

vulnerability	VCID-rr6t-1193-ybgz

vulnerability	VCID-ry1r-br3q-2uaw

vulnerability	VCID-t2ve-xemk-mqa9

vulnerability	VCID-t2yy-9ume-t7be

vulnerability	VCID-vz7k-r7c4-ebfg

vulnerability	VCID-w2yd-uw91-9yck

vulnerability	VCID-xj73-kszs-yygp

vulnerability	VCID-xsct-xjs7-nbab

vulnerability	VCID-y65g-4baa-a7c2

vulnerability	VCID-ye4t-n6r3-67ab

vulnerability	VCID-yhpq-5qy3-y7bn

vulnerability	VCID-ymmv-2qmq-6kap

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.12

url pkg:npm/openclaw@2026.4.14-beta.1

purl pkg:npm/openclaw@2026.4.14-beta.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29a1-7ar7-67e1

vulnerability	VCID-2c8p-gbaw-3ye4

vulnerability	VCID-3xmj-n798-x3cw

vulnerability	VCID-4316-7q9a-xuhx

vulnerability	VCID-4u3z-rs45-gbhe

vulnerability	VCID-6cfj-zugb-7uhq

vulnerability	VCID-6wth-qthz-yud8

vulnerability	VCID-7akj-469t-57hz

vulnerability	VCID-a46u-tnbh-fyhs

vulnerability	VCID-a4jz-y9s4-zkfg

vulnerability	VCID-dfdk-dhwf-9yaj

vulnerability	VCID-dv5s-pvw1-a7fu

vulnerability	VCID-e25p-j5ed-yqfz

vulnerability	VCID-gk95-28x9-17dk

vulnerability	VCID-gkyv-ahk7-1ud3

vulnerability	VCID-h9a4-1twb-d7d1

vulnerability	VCID-hphn-8fnj-qkh2

vulnerability	VCID-hy24-6xpe-pkb7

vulnerability	VCID-hz33-9efv-c7ef

vulnerability	VCID-jshg-1pb2-wbak

vulnerability	VCID-k8s8-zjv4-gqdb

vulnerability	VCID-kcy2-a98b-uyg7

vulnerability	VCID-kxmf-d7w1-xfcv

vulnerability	VCID-nkh4-j2pe-1qhr

vulnerability	VCID-p8xd-2um4-9ufr

vulnerability	VCID-rr6t-1193-ybgz

vulnerability	VCID-ry1r-br3q-2uaw

vulnerability	VCID-t2ve-xemk-mqa9

vulnerability	VCID-t2yy-9ume-t7be

vulnerability	VCID-vz7k-r7c4-ebfg

vulnerability	VCID-w2yd-uw91-9yck

vulnerability	VCID-xj73-kszs-yygp

vulnerability	VCID-xsct-xjs7-nbab

vulnerability	VCID-y65g-4baa-a7c2

vulnerability	VCID-ye4t-n6r3-67ab

vulnerability	VCID-yhpq-5qy3-y7bn

vulnerability	VCID-ymmv-2qmq-6kap

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.14-beta.1

References

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-43566

reference_id

reference_type

scores

value	0.00147
scoring_system	epss
scoring_elements	0.34866
published_at	2026-06-05T12:55:00Z

value	0.0016
scoring_system	epss
scoring_elements	0.36711
published_at	2026-06-06T12:55:00Z

value	0.0016
scoring_system	epss
scoring_elements	0.36648
published_at	2026-06-09T12:55:00Z

value	0.0016
scoring_system	epss
scoring_elements	0.36638
published_at	2026-06-08T12:55:00Z

value	0.0016
scoring_system	epss
scoring_elements	0.36675
published_at	2026-06-07T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-43566

reference_url

https://github.com/openclaw/openclaw

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	6.0
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/openclaw/openclaw

reference_url

https://github.com/openclaw/openclaw/commit/31281bc92f55796817a92bc43f722cba1e77ab42

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	6.0
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

value	9.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-05T14:28:26Z/

url

https://github.com/openclaw/openclaw/commit/31281bc92f55796817a92bc43f722cba1e77ab42

reference_url

https://github.com/openclaw/openclaw/pull/66031

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	6.0
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/openclaw/openclaw/pull/66031

reference_url

https://github.com/openclaw/openclaw/security/advisories/GHSA-g2hm-779g-vm32

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.0
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

value	9.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-05T14:28:26Z/

url

https://github.com/openclaw/openclaw/security/advisories/GHSA-g2hm-779g-vm32

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-43566

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	6.0
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-43566

reference_url

https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-untrusted-webhook-wake-events

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	6.0
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

value	9.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-05T14:28:26Z/

url

https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-untrusted-webhook-wake-events

reference_url

https://github.com/advisories/GHSA-g2hm-779g-vm32

reference_id

GHSA-g2hm-779g-vm32

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-g2hm-779g-vm32

Weaknesses

cwe_id	184
name	Incomplete List of Disallowed Inputs
description	The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.

cwe_id	863
name	Incorrect Authorization
description	The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score 4.0 - 9.1

Exploitability 0.5

Weighted_severity 8.2

Risk_score 4.1

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hy24-6xpe-pkb7

Vulnerability Instance